Forum List Message List New Topic Print View

Ed W

August 28, 2010 06:38AM

On 27/08/2010 16:45, Jim Ohlstein wrote:
> On 8/27/10 11:22 AM, Ed W wrote:
>>
>> Create a test file test.jpg as follows:
>> # echo -e "\xff\xd8\xff\xe0\n<?php echo 'hello'; ?>" > test.jpg
>> # file test.jpg
>> test.jpg: JPEG image data
>>
>> Now try and upload this test.jpg file to your server. If it succeeds
>> then probably turn off the server until you fix the issue...
>
> It doesn't work on the apps I mentioned. It simply won't upload.

The apps you mentioned were vBulletin and IPB. I have done a little
more research on this and I believe I can smuggle in the PHP using jpeg
comments. The resulting file should pass all tests as a valid JPG, but
still be executable to the PHP interpreter...

The point is: my expectation is that with a bit of wriggling it should
be possible to find something which should get past your image upload
checks, but your PHP interpreter will still happily process it. If your
server is misconfigured to allow accidental execution of such files then
I think you have a gaping hole in your security... Bottom line is to
*completely disable* execution of all untrusted files (variety of ways
to do that of course)

Personally I don't believe in trusting *only* to the upload filtering to
secure a web application. There is simply too much subtlety here that a
well crafted file should eventually be able to bypass...

Ed W

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 11:28AM
Re: Possible widespread PHP configuration issue - security risk	zuborg	August 27, 2010 11:47AM
Re: Possible widespread PHP configuration issue - security risk	Jim Ohlstein	August 27, 2010 11:50AM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:10PM
Re: Possible widespread PHP configuration issue - security risk	Jim Ohlstein	August 27, 2010 12:18PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:30PM
Re: Possible widespread PHP configuration issue - security risk	vesperto	August 27, 2010 12:36PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:48PM
Re: Possible widespread PHP configuration issue - security risk	Cliff Wells	August 27, 2010 01:14PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 01:24PM
Re: Possible widespread PHP configuration issue - security risk	Cliff Wells	August 27, 2010 01:50PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 01:54PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 01:52PM
Re: Possible widespread PHP configuration issue - security risk	ubitux	August 27, 2010 01:56PM
Re: Possible widespread PHP configuration issue - security risk	Cliff Wells	August 27, 2010 02:10PM
Re: Possible widespread PHP configuration issue - security risk	Cliff Wells	August 27, 2010 02:16PM
Re: Possible widespread PHP configuration issue - security risk	mike	August 27, 2010 02:22PM
Re: Possible widespread PHP configuration issue - security risk	Cliff Wells	August 27, 2010 02:44PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 28, 2010 06:38AM
Re: Possible widespread PHP configuration issue - security risk	brianmercer	August 27, 2010 12:22PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:26PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:46PM
Re: Possible widespread PHP configuration issue - security risk	brianmercer	August 27, 2010 01:17PM
Re: Possible widespread PHP configuration issue - security risk	Maxim Dounin	August 27, 2010 01:26PM
Re: Possible widespread PHP configuration issue - security risk	Boris Dolgov	August 27, 2010 01:26PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 01:38PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:52PM
Re: Possible widespread PHP configuration issue - security risk	Raina Gustafson	August 27, 2010 01:02PM
Re: Possible widespread PHP configuration issue - security risk	Ensiferous	August 30, 2010 12:46PM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 312

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018